主页 / user-112949

Dan's questions

Martin Hope
Dan
Asked: 2018-01-25 15:45:41 +0800 CST
  • 3

我正在分析一些 packetfilter 日志,并想为一些输出制作一个漂亮的表格,当我使用column -t. 在这种情况下,我不能使用制表符作为我的输出字段分隔符 (OFS),因为它会在表视图中显示多词字符串字段。

我的原始数据包含这样的行:

2018:01:24-09:31:21 asl ulogd[24090]: id="2103" severity="info" sys="SecureNet" sub="ips" name="SYN flood detected" action="SYN flood" fwrule="50018" initf="eth0" srcmac="12:34:56:78:90:ab" dstmac="cd:ef:01:23:45:67" srcip="192.168.1.123" dstip="151.101.65.69" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="59761" dstport="80" tcpflags="SYN"

我使用以下方法将数据转换为逗号分隔 (CSV) 格式:

grep -EHr "192\.168\.1\.123" | 
cut -d':' -f2- | 
awk -F '"' 'BEGIN{
    OFS=","; 
    print "name","action","srcip","srcport","dstip","dstport","protocol","tcpflags"
}
{
    print $10,$12,$22,$36,$24,$38,$26,$(NF-1)
}'

这工作正常并产生这种输出(IP 地址都改变了,我真的没有一个内部主机淹没这个网站):

name,action,srcip,srcport,dstip,dstport,protocol,tcpflags
SYN flood detected,SYN flood,192.168.1.123,59761,151.101.65.69,80,6,SYN
SYN flood detected,SYN flood,192.168.1.123,59764,151.101.65.69,80,6,SYN
SYN flood detected,SYN flood,192.168.1.123,59769,151.101.65.69,80,6,SYN
SYN flood detected,SYN flood,192.168.1.123,59771,151.101.65.69,80,6,SYN
SYN flood detected,SYN flood,192.168.1.123,59772,151.101.65.69,80,6,SYN
SYN flood detected,SYN flood,192.168.1.123,59890,151.101.65.69,80,6,SYN
SYN flood detected,SYN flood,192.168.1.123,60002,151.101.65.69,80,6,SYN
SYN flood detected,SYN flood,192.168.1.123,60005,151.101.65.69,80,6,SYN
SYN flood detected,SYN flood,192.168.1.123,60006,151.101.65.69,80,6,SYN

出于某种原因,每当我用于column显示表输出 ( -t) 时,它都会在原始数据中不存在换行符的第一列之后添加一个换行符。例如:

$ cat mydata.csv | column -s ',' -t
name
                                action     srcip           srcport  dstip          dstport  protocol  tcpflags
SYN flood detected
                                SYN flood  192.168.1.123   59761    151.101.65.69  80       6         SYN
SYN flood detected
                                SYN flood  192.168.1.123   59764    151.101.65.69  80       6         SYN
SYN flood detected
                                SYN flood  192.168.1.123   59769    151.101.65.69  80       6         SYN

预期输出如下:

name                 action     srcip           srcport  dstip          dstport  protocol  tcpflags
SYN flood detected   SYN flood  192.168.1.123   59761    151.101.65.69  80       6         SYN
SYN flood detected   SYN flood  192.168.1.123   59764    151.101.65.69  80       6         SYN
SYN flood detected   SYN flood  192.168.1.123   59769    151.101.65.69  80       6         SYN

添加-xcolumn也没有区别,指定列数也没有区别-c(我在终端中有足够的屏幕宽度)。当原始数据中没有换行符时,为什么要这样做?

我真的不认为它是我数据中的一个字符,因为它也发生在我在awkBEGIN 块中创建的标题列中。

awk filter